CVE-2019-10072
First published: Fri Jun 21 2019(Updated: )
Apache Tomcat is vulnerable to a denial of service, caused by HTTP/2 connection window exhaustion on write. By failing to send WINDOW_UPDATE messages, a remote attacker could exploit this vulnerability to block threads on the server and cause a denial of service.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el6 | 0:4.12.0-1.redhat_1.1.el6 |
| redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el6 | 0:3.4.1-5.15.11.el6 |
| redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el6 | 0:3.3.2-1.Final_redhat_00001.1.el6 |
| redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el6 | 0:9.0.21-10.redhat_4.1.el6 |
| redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el6 | 0:1.2.21-34.redhat_34.el6 |
| redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el6 | 0:1.1.8-1.Final_redhat_1.1.el6 |
| redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el7 | 0:4.12.0-1.redhat_1.1.el7 |
| redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el7 | 0:3.4.1-5.15.11.el7 |
| redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el7 | 0:3.3.2-1.Final_redhat_00001.1.el7 |
| redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el7 | 0:9.0.21-10.redhat_4.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el7 | 0:1.2.21-34.redhat_34.el7 |
| redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el7 | 0:1.1.8-1.Final_redhat_1.1.el7 |
| redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el8 | 0:4.12.0-1.redhat_1.1.el8 |
| redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el8 | 0:3.4.1-5.15.11.el8 |
| redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el8 | 0:3.3.2-1.Final_redhat_00001.1.el8 |
| redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el8 | 0:9.0.21-10.redhat_4.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el8 | 0:1.2.21-34.redhat_34.el8 |
| redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el8 | 0:1.1.8-1.Final_redhat_1.1.el8 |
| Apache Tomcat | >=8.5.0<=8.5.40 | |
| Apache Tomcat | >=9.0.1<=9.0.19 | |
| Apache Tomcat | =9.0.0-m1 | |
| Apache Tomcat | =9.0.0-m10 | |
| Apache Tomcat | =9.0.0-m11 | |
| Apache Tomcat | =9.0.0-m12 | |
| Apache Tomcat | =9.0.0-m13 | |
| Apache Tomcat | =9.0.0-m14 | |
| Apache Tomcat | =9.0.0-m15 | |
| Apache Tomcat | =9.0.0-m16 | |
| Apache Tomcat | =9.0.0-m17 | |
| Apache Tomcat | =9.0.0-m18 | |
| Apache Tomcat | =9.0.0-m19 | |
| Apache Tomcat | =9.0.0-m2 | |
| Apache Tomcat | =9.0.0-m20 | |
| Apache Tomcat | =9.0.0-m21 | |
| Apache Tomcat | =9.0.0-m22 | |
| Apache Tomcat | =9.0.0-m23 | |
| Apache Tomcat | =9.0.0-m24 | |
| Apache Tomcat | =9.0.0-m25 | |
| Apache Tomcat | =9.0.0-m26 | |
| Apache Tomcat | =9.0.0-m27 | |
| Apache Tomcat | =9.0.0-m3 | |
| Apache Tomcat | =9.0.0-m4 | |
| Apache Tomcat | =9.0.0-m5 | |
| Apache Tomcat | =9.0.0-m6 | |
| Apache Tomcat | =9.0.0-m7 | |
| Apache Tomcat | =9.0.0-m8 | |
| Apache Tomcat | =9.0.0-m9 | |
| Apache Tomcat | =9.0.0-milestone1 | |
| Apache Tomcat | =9.0.0-milestone10 | |
| Apache Tomcat | =9.0.0-milestone11 | |
| Apache Tomcat | =9.0.0-milestone12 | |
| Apache Tomcat | =9.0.0-milestone13 | |
| Apache Tomcat | =9.0.0-milestone14 | |
| Apache Tomcat | =9.0.0-milestone15 | |
| Apache Tomcat | =9.0.0-milestone16 | |
| Apache Tomcat | =9.0.0-milestone17 | |
| Apache Tomcat | =9.0.0-milestone18 | |
| Apache Tomcat | =9.0.0-milestone19 | |
| Apache Tomcat | =9.0.0-milestone2 | |
| Apache Tomcat | =9.0.0-milestone20 | |
| Apache Tomcat | =9.0.0-milestone21 | |
| Apache Tomcat | =9.0.0-milestone22 | |
| Apache Tomcat | =9.0.0-milestone23 | |
| Apache Tomcat | =9.0.0-milestone24 | |
| Apache Tomcat | =9.0.0-milestone25 | |
| Apache Tomcat | =9.0.0-milestone26 | |
| Apache Tomcat | =9.0.0-milestone27 | |
| Apache Tomcat | =9.0.0-milestone3 | |
| Apache Tomcat | =9.0.0-milestone4 | |
| Apache Tomcat | =9.0.0-milestone5 | |
| Apache Tomcat | =9.0.0-milestone6 | |
| Apache Tomcat | =9.0.0-milestone7 | |
| Apache Tomcat | =9.0.0-milestone8 | |
| Apache Tomcat | =9.0.0-milestone9 | |
| redhat/Apache Tomcat | <9.0.20 | 9.0.20 |
| redhat/Apache Tomcat | <8.5.41 | 8.5.41 |
| IBM IBM® Engineering Requirements Management DOORS | <=9.7.2.7 | |
| IBM IBM® Engineering Requirements Management DOORS Web Access | <=9.7.2.7 | |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.5.0<8.5.41 | 8.5.41 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.0.M1<9.0.20 | 9.0.20 |
| ubuntu/tomcat8 | <8.5.39-1ubuntu1~18.04.3 | 8.5.39-1ubuntu1~18.04.3 |
| ubuntu/tomcat8 | <8.5.41 | 8.5.41 |
| ubuntu/tomcat9 | <9.0.16-3ubuntu0.18.04.1 | 9.0.16-3ubuntu0.18.04.1 |
| ubuntu/tomcat9 | <9.0.16-3ubuntu0.19.04.1 | 9.0.16-3ubuntu0.19.04.1 |
| ubuntu/tomcat9 | <9.0.20 | 9.0.20 |
| debian/tomcat9 | 9.0.31-1~deb10u6 9.0.31-1~deb10u12 9.0.43-2~deb11u9 9.0.43-2~deb11u10 9.0.70-2 |
Remedy
pki-servlet-container does not use HTTP/2 in its default configuration.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-10072 https://nvd.nist.gov/vuln/detail/CVE-2019-10072 http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41 http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20
- https://bugzilla.redhat.com/show_bug.cgi?id=1723708
- https://access.redhat.com/errata/RHSA-2019:3931
- https://access.redhat.com/errata/RHSA-2019:3929
- https://access.redhat.com/security/cve/cve-2019-10072
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html
- http://www.securityfocus.com/bid/108874
- https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190625-0002/
- https://support.f5.com/csp/article/K17321505
- https://usn.ubuntu.com/4128-1/
- https://usn.ubuntu.com/4128-2/
- https://www.debian.org/security/2020/dsa-4680
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.synology.com/security/advisory/Synology_SA_19_29
- https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
- https://launchpad.net/bugs/cve/CVE-2019-10072
- https://access.redhat.com/security/cve/CVE-2019-0199
- http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20
- http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201906.mbox/%3Cca69531a-1592-be7b-60ce-729549c7f812%40apache.org%3E
- https://github.com/apache/tomcat/commit/7f748eb
- https://github.com/apache/tomcat/commit/ada725a
- https://github.com/apache/tomcat/commit/0bcd69c
- https://github.com/apache/tomcat/commit/8d14c6f
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1723711
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1723712
- https://exchange.xforce.ibmcloud.com/vulnerabilities/162806
- https://www.ibm.com/support/pages/node/7124058 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-10072
- https://web.archive.org/web/20200227033743/http://www.securityfocus.com/bid/108874
- https://github.com/apache/tomcat/commit/0bcd69c9dd8ae0ff424f2cd46de51583510b7f35
- https://github.com/apache/tomcat/commit/7f748eb6bfaba5207c89dbd7d5adf50fae847145
- https://github.com/apache/tomcat/commit/8d14c6f21d29768a39be4b6b9517060dc6606758
- https://github.com/apache/tomcat/commit/ada725a50a60867af3422c8e612aecaeea856a9a
- https://tomcat.apache.org/security-8.html
- https://tomcat.apache.org/security-9.html
- https://usn.ubuntu.com/4128-1
- https://usn.ubuntu.com/4128-2
- https://security.netapp.com/advisory/ntap-20190625-0002
- https://github.com/advisories/GHSA-q4hg-rmq2-52q9 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2019-10072
- https://ubuntu.com/security/notices/USN-4128-1
- https://ubuntu.com/security/notices/USN-4128-2
- https://www.cve.org/CVERecord?id=CVE-2019-10072
- https://ubuntu.com/security/CVE-2019-10072
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-10072?
CVE-2019-10072 is a vulnerability in Apache Tomcat that allows clients to cause server-side threads to become exhausted.
What is the severity of CVE-2019-10072?
CVE-2019-10072 has a severity rating of 5.3 (Medium).
Which versions of Apache Tomcat are affected by CVE-2019-10072?
Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 are affected by CVE-2019-10072.
How can I fix CVE-2019-10072?
Update your Apache Tomcat installation to version 9.0.20 or later (for 9.x) or version 8.5.41 or later (for 8.5.x).
Where can I find more information about CVE-2019-10072?
You can find more information about CVE-2019-10072 at the following references: - [CVE-2019-10072](https://www.cve.org/CVERecord?id=CVE-2019-10072) - [NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-10072) - [Apache Tomcat Security](http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41) - [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1723708) - [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2019:3931)
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-api
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10072
- agent/weakness
- agent/severity
- agent/remedy
- agent/author
- agent/description
- agent/event
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-q4hg-rmq2-52q9
- agent/references
- agent/last-modified-date
- collector/github-advisory
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/8.5.0
- version/apache tomcat/8.5.40
- version/apache tomcat/9.0.1
- version/apache tomcat/9.0.19
- version/apache tomcat/9.0.0-m1
- version/apache tomcat/9.0.0-m10
- version/apache tomcat/9.0.0-m11
- version/apache tomcat/9.0.0-m12
- version/apache tomcat/9.0.0-m13
- version/apache tomcat/9.0.0-m14
- version/apache tomcat/9.0.0-m15
- version/apache tomcat/9.0.0-m16
- version/apache tomcat/9.0.0-m17
- version/apache tomcat/9.0.0-m18
- version/apache tomcat/9.0.0-m19
- version/apache tomcat/9.0.0-m2
- version/apache tomcat/9.0.0-m20
- version/apache tomcat/9.0.0-m21
- version/apache tomcat/9.0.0-m22
- version/apache tomcat/9.0.0-m23
- version/apache tomcat/9.0.0-m24
- version/apache tomcat/9.0.0-m25
- version/apache tomcat/9.0.0-m26
- version/apache tomcat/9.0.0-m27
- version/apache tomcat/9.0.0-m3
- version/apache tomcat/9.0.0-m4
- version/apache tomcat/9.0.0-m5
- version/apache tomcat/9.0.0-m6
- version/apache tomcat/9.0.0-m7
- version/apache tomcat/9.0.0-m8
- version/apache tomcat/9.0.0-m9
- version/apache tomcat/9.0.0-milestone1
- version/apache tomcat/9.0.0-milestone10
- version/apache tomcat/9.0.0-milestone11
- version/apache tomcat/9.0.0-milestone12
- version/apache tomcat/9.0.0-milestone13
- version/apache tomcat/9.0.0-milestone14
- version/apache tomcat/9.0.0-milestone15
- version/apache tomcat/9.0.0-milestone16
- version/apache tomcat/9.0.0-milestone17
- version/apache tomcat/9.0.0-milestone18
- version/apache tomcat/9.0.0-milestone19
- version/apache tomcat/9.0.0-milestone2
- version/apache tomcat/9.0.0-milestone20
- version/apache tomcat/9.0.0-milestone21
- version/apache tomcat/9.0.0-milestone22
- version/apache tomcat/9.0.0-milestone23
- version/apache tomcat/9.0.0-milestone24
- version/apache tomcat/9.0.0-milestone25
- version/apache tomcat/9.0.0-milestone26
- version/apache tomcat/9.0.0-milestone27
- version/apache tomcat/9.0.0-milestone3
- version/apache tomcat/9.0.0-milestone4
- version/apache tomcat/9.0.0-milestone5
- version/apache tomcat/9.0.0-milestone6
- version/apache tomcat/9.0.0-milestone7
- version/apache tomcat/9.0.0-milestone8
- version/apache tomcat/9.0.0-milestone9
- vendor/ibm
- canonical/ibm ibm® engineering requirements management doors
- version/ibm ibm® engineering requirements management doors/9.7.2.7
- canonical/ibm ibm® engineering requirements management doors web access
- version/ibm ibm® engineering requirements management doors web access/9.7.2.7
- package-manager/maven
- package-manager/debian
- package-manager/ubuntu